vanheusden.com

Entropy Broker

What is it?

Entropy Broker is an infrastructure for distributing cryptographically secure random numbers (entropy data) from one or more servers to one or more clients.
Entropy Broker allows you to distribute entropy data (random values) to the /dev/random devices of other systems (real servers or virtualised systems). It helps prevent the /dev/random device from being depleted; an empty /dev/random device can cause programs to hang while they wait for entropy data to become available. This is useful for systems that need to generate encryption keys, run VPN software or run a casino website. It also helps virtual systems that have no good sources of entropy, such as virtual servers (e.g. VMware, XEN and KVM, although KVM has the virtio_rng driver).
Entropy Broker is an infrastructure consisting of client-daemons that fill /dev/random and server-daemons that feed the central entropy broker-server. The server-daemons can gather random values by measuring timer frequency noise, analysing noise from an unused audio device, noise from a video source (webcam, TV card) and random values from a real hardware RNG (random number generator).

How it works

It uses the Blowfish encryption algorithm to stir the entropy data into the pools (each 4096 bits in size). The number of pools is configurable (default 14). To extract entropy data, it calculates a SHA512 hash over the pool, folds the hash in half and returns the result as output data. After that, the hash is used to permute the pool again. For each Blowfish invocation the initialization vector is rotated by 1 bit; it is initialized with 64 bits taken from the local system PRNG. The same method is used to determine the number of bits of information in the data delivered by the entropy-gather servers.
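The pool scheme described above, as an added Python model written for this page (it is not the project's C code). It keeps the parts the text specifies exactly: 4096-bit pools, an entropy-bit counter, extraction by SHA-512 folded in half with the hash stirred back into the pool, and a 64-bit IV rotated one bit per cipher call. The Blowfish stir itself is replaced by IV-keyed SHA-512 mixing because the Python standard library has no Blowfish; `Pool`, `_stir`, `add_entropy`, `extract` and `rotate_left_64` are hypothetical names.

```python
import hashlib
import os

POOL_BITS = 4096             # page: each pool is 4096 bits
POOL_BYTES = POOL_BITS // 8
MASK64 = (1 << 64) - 1


def rotate_left_64(iv, bits=1):
    """Rotate a 64-bit IV left; the page says the IV moves 1 bit per cipher call."""
    bits %= 64
    return ((iv << bits) | (iv >> (64 - bits))) & MASK64


class Pool:
    """One entropy pool with an entropy-bit estimate (hypothetical model)."""

    def __init__(self, seed_iv=None):
        self.state = bytearray(POOL_BYTES)
        self.bits = 0                        # estimated entropy held in the pool
        # page: IV initialised with 64 bits from the local system PRNG
        self.iv = int.from_bytes(os.urandom(8), "big") if seed_iv is None else seed_iv & MASK64
        self.offset = 0

    def _stir(self, data):
        """Mix data into the pool. Stand-in for the Blowfish stir (assumption, not
        the project's cipher): SHA-512 keyed with the IV, XORed in at a rotating offset."""
        for i in range(0, len(data), 64):
            block = hashlib.sha512(self.iv.to_bytes(8, "big") + data[i:i + 64]).digest()
            for j, b in enumerate(block):
                self.state[(self.offset + j) % POOL_BYTES] ^= b
            self.offset = (self.offset + 64) % POOL_BYTES
            self.iv = rotate_left_64(self.iv)   # one rotation per cipher call

    def add_entropy(self, data, est_bits):
        """Stir data in and credit est_bits, the estimate a gather server reports."""
        self._stir(data)
        self.bits = min(POOL_BITS, self.bits + est_bits)

    def extract(self, n_bytes):
        """Return up to n_bytes, never more than the entropy estimate covers.
        Each step: SHA-512 over the pool, fold the 64-byte hash in half (XOR) to
        32 output bytes, then stir the full hash back so the pool state moves on."""
        out = bytearray()
        while len(out) < n_bytes and self.bits >= 8:
            h = hashlib.sha512(bytes(self.state)).digest()
            folded = bytes(a ^ b for a, b in zip(h[:32], h[32:]))
            take = min(32, n_bytes - len(out), self.bits // 8)
            out += folded[:take]
            self.bits -= take * 8
            self._stir(h)                    # hash permutes the pool again
        return bytes(out)
```

Because output is only half of the hash and the hash is folded back into the pool, an observer holding the output cannot reconstruct the pool state, and a depleted estimate simply yields fewer bytes, which is what a blocking /dev/random client would wait on.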

Example infrastructure



Download

GitHub

Entropy Broker itself

EntropyBroker is written in C.
Latest stable release: eb-0.7.tgz
eb-0.6.tgz
eb-0.4.tgz
eb-0.3.tgz
eb-0.2.tgz
eb-0.1.tgz

Add-ons

Java connector library: eb-javaconnector-0.7-002.tgz
eb-javaconnector-0.7.tgz

Changes

0.7: entropybroker can now also act as an EGD (entropy gathering daemon) itself, this functionality is compatible with at least OpenSSL
0.6: added support for the EGD (entropy gathering daemon) unix domain socket interface so that EntropyBroker can also retrieve entropy data from an EntropyKey
0.4: now configurable via configfiles, added lots of configurable settings, added new sanity check (serial correlation coefficient)
0.3: sever_stream now also supports serial devices, using -o the server_*cpp daemons write their output to a file instead of the eb-server, added FIPS 140-2 test
0.2: time-outs added, fixed buffer overruns
0.1: initial release